Survey reveals users take security training seriously, but may still engage in risky behaviour

SYDNEY, 2 July, 2020 – Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global leader in cybersecurity solutions, today released survey results that show how remote workers address cybersecurity. More than two-thirds (67%) of Australian’s remoter workers say they are more conscious of their organisation’s cybersecurity policies since lockdown began, but many are breaking the rules anyway due to limited understanding or resource constraints.

Trend Micro’s Head in the Clouds study is distilled from interviews with 13,200 remote workers across 27 countries on their attitudes towards corporate cybersecurity and IT policies. It reveals that there has never been a better time for companies to take advantage of heightened employee cybersecurity awareness. The survey reveals that the approach businesses take to training is critical to ensure secure practices are being followed.

The results indicate a high level of security awareness in Australia, with 83% of respondents claiming they take instructions from their IT team seriously, and 78% agree that cybersecurity within their organisation is partly their responsibility. Additionally, 61% acknowledge that using non-work applications on a corporate device is a security risk.

However, just because most people understand the risks does not mean they stick to the rules.

For example:

• 51% of employees admit to using a non-work application on a corporate device, and 68% of them have actually uploaded corporate data to that application.
• 79% of respondents confess to using their work laptop for personal browsing, and only 31% of them fully restrict the sites they visit.
• 37% of respondents say they often or always access corporate data from a personal device – almost certainly breaking corporate security policy.
• 7% of respondents admit to watching / accessing porn on their work laptop, and 7% access the dark web.

Productivity still wins out over protection for many Australian users. A third of respondents (33%) agree that they do not give much thought to whether the apps they use are sanctioned by IT or not, as they just want the job done. Additionally, one-quarter (24%) think they can get away with using a non-work application, as the solutions provided by their company are ‘nonsense.’

Dr Linda K. Kaye, Cyberpsychology Academic at Edge Hill University explains: “There are a great number of individual differences across the workforce. This can include individual employee’s values, accountability within their organisation, as well as aspects of their personality, all of which are important factors which drive people’s behaviours. To develop more effective cybersecurity training and practices, more attention should be paid to these factors. This, in turn, can help organisations adopt more tailored or bespoke cybersecurity training with their employees, which may be more effective.”

Ashley Watkins, Managing Director, Commercial, Trend Micro ANZ, explains “Although there is a high level of security awareness in Australia, its concerning to see that some learned employee behaviour continues to create vulnerabilities for organisations. Whilst many employees are aware of the risks, the statistics show that this isn’t necessarily translating into action, so organisations need to identity and address this through training – now more than ever. Australian organisations are starting to determine their working from home policies into the future as restrictions ease and some slowly transition back to the office environment, so as part of this it’s important to ensure the existing awareness converts to clear process, policy and action.”

The Head in the Clouds study looks into the psychology of people’s behaviour in terms of cybersecurity, including their attitudes towards risk. It presents several common information security “personas” with the aim of helping organisations tailor their cybersecurity strategy in the right way for the right employee.